Professional Documents
Culture Documents
Cisco Security Report
Cisco Security Report
Cybercriminals are taking advantage of the rapidly expanding attack surface found in todays any-to-any world, where individuals are using any device to access business applications in a network environment that utilizes decentralized cloud services. The Cisco 2013 Annual Security Report highlights global threat trends based on real-world data, and provides insight and analysis that helps businesses and governments improve their security posturing for the future. The report combines expert research with security intelligence that was aggregated from across Cisco, focusing on data collected during the 2012 calendar year.
Contents
The Nexus of Devices, Clouds, and Applications Endpoint Proliferation Services Reside in Many Clouds Blending of Business and Personal Use
Millennials and the Workplace
6 12 18 22
Big Data
A Big Deal for Todays Enterprises
28
32
Evolutionary Threats
New Methods, Same Exploits
50
Spam the Ever Present Security Outlook 2013 About Cisco Security Intelligence Operations
58 70 74
The any-to-any world and the Internet of Everything is an evolution in connectivity and collaboration that is unfolding rapidly. Its the nexus of devices, clouds, and applications.
While this evolution is not unexpected, todays enterprises may be unprepared for the reality of navigating an anyto-any worldat least, from a security perspective. The crux of the any-to-any issue is this: Were quickly reaching the point where it is increasingly less likely that a user is going to access a business through an enterprise network, says Chris Young, Senior Vice President of the Security and Government Group at Cisco. More and more, its about any device in any location coming over any instantiation of the network. Internetenabled devicessmartphones, tablets, and moreare trying to connect to applications that could be running anywhere, including in a public software-as-a-service (SaaS) cloud, in a private cloud, or in a hybrid cloud. At the same time, another evolution is under waya steady movement toward the formation of the Internet of Everything. This is the intelligent connection of: People: Social networks, population centers, digital entities Processes: Systems, business processes Data: World Wide Web, information Things: Physical world, devices and objects
More and more, its about any device in any location coming over any instantiation of the network. Internet-enabled devicessmartphones, tablets, and moreare trying to connect to applications that could be running anywhere.
Chris Young, Senior Vice President of the Security and Government Group at Cisco
The growth and convergence of people, processes, data, and things on the Internet will make networked connections more relevant and valuable than ever before.
Nancy Cam-Winget, Distinguished Engineer, Cisco
The Internet of Everything builds on an Internet of Things1 foundation by adding network intelligence that allows convergence, orchestration, and visibility across previously disparate systems. Connections in the Internet of Everything arent just about mobile devices or laptops and desktops, but also the rapidly growing number of machine-to-machine (M2M) connections coming online each day. These things are often objects we take for granted or rely on each day, and dont traditionally think of as being connectedsuch as a home heating system, a wind turbine, or a car. The Internet of Everything is a future state, to be sure, but is not so distant when the any-to-any issue is considered. And while it, too, will create security challenges for enterprises, it will bring new opportunities as well. Amazing things will happen and be created as the
Internet of Everything grows, says Nancy Cam-Winget, distinguished engineer, Cisco. The growth and convergence of people, processes, data, and things on the Internet will make networked connections more relevant and valuable than ever before. Ultimately, the Internet of Everything will create new capabilities, richer experiences, and unprecedented economic opportunities for countries, businesses, and individuals.
component is cloud data. By 2016, global cloud traffic will make up nearly two-thirds of total data center traffic. Piecemeal security solutions, such as applying firewalls to a changeable network edge, dont secure data that is now constantly in motion among devices, networks, and clouds. Even among data centerswhich now house organizations crown jewels (big data)virtualization is becoming more the rule than the exception. Addressing security challenges presented by virtualization and the cloud requires rethinking security postures to reflect this new paradigm perimeter-based controls and old models of access and containment need to be changed to secure the new business model.
Another complicating factor in the any-to-any equation is young, mobile workers. This group believes they should be able to do business wherever they happen to be and on whatever devices they have at hand.
the changing attitudes that college students and young professionals around the globe have toward work, technology, and security. The latest study shines even more light on these workers attitudes toward security, with a special focus on privacy and how much or how often a company can intrude on an employees desire to freely roam the Internet while at work. The 2012 Cisco Connected World Technology Report study also examines whether online privacy is still something that all users actively worry about.
Global data center traffic is expected to quadruple over the next five years, and the fastestgrowing component is cloud data. By 2016, global cloud traffic will make up nearly two-thirds of total data center traffic.
10
11
We are seeing some disturbing changes in the threat environment facing governments, companies, and societies.
John N. Stewart, Senior Vice President and Chief Security Officer at Cisco
shadow economy have centered their efforts in recent years on developing increasingly sophisticated techniques, Ciscos research makes clear that cybercriminals are often turning to well-known and basic methods to compromise users. The rise in distributed denial of service (DDoS) attacks over the past year is just one example of the trend toward whats old is new again in cybercrime. For several years, DDoS attackswhich can paralyze Internet service providers (ISPs) and disrupt traffic to and from targeted websites have been low on the list of IT security priorities for many enterprises. However, recent campaigns against a number of high-profile companies including U.S. financial institutions2 serve as a reminder that any cybersecurity threat has the potential to create significant disruption, and even irreparable damage, if an organization is not prepared for it. Therefore, when creating their business continuity management plans, enterprises would be wise to consider how they would respond to
and recover from a disruptive cyber eventwhether that event takes the form of a DDoS attack directed at the company; a critical, Internet-enabled manufacturing facility suddenly going offline; an advanced multistage attack by the criminal underground; or something else never before seen. While the IT security discussion has suffered more than its fair share of alarmism over the years, we are seeing some disturbing changes in the threat environment facing governments, companies, and societies, says John N. Stewart, Senior Vice President and Chief Security Officer at Cisco. Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the wellbeing of the world.
12
13
Endpoint Proliferation
The any-to-any evolution already involves billions of Internet-connected devices; in 2012, the number of these devices globally grew to more than 9 billion.
3
Considering that less than 1 percent of things in the physical world are connected today, there remains vast potential to connect the unconnected.4 It is projected that with an Internet that already has an estimated 50 billion things connected to it, the number of connections will increase to 13,311,666,640,184,600 by the year 2020. Adding just one more Internet-connected thing (50 billion + 1) will increase the number of connections by another 50 billion.5 As for the things that will eventually comprise the everything, they will range from smartphones to home heating systems to wind turbines to cars. Dave Evans, Ciscos Chief Futurist with the Internet Business Solutions Group, explains the concept of endpoint proliferation like this: When your car becomes connected to the Internet of Everything in the
near future, it will simply increase the number of things on the Internet by one. Now, think about the numerous other elements to which your car could be connectedother cars, stoplights, your home, service personnel, weather reports, warning signs, and even the road itself.6
When your car becomes connected to the Internet of Everything in the near future, it will simply increase the number of things on the Internet by one. Now, think about the numerous other elements to which your car could be connectedother cars, stoplights, your home, service personnel, weather reports, warning signs, and even the road itself.
David Evans, Chief Futurist, Cisco
14
15
Mobile
Data
In the Internet of Everything, connections are what matter most. The types of connections, not the number, are what create value between people, processes, data, and things. And eventually, the number of connections will dwarf the number of things.7 The explosion of new connections already becoming part of the Internet of Everything is driven primarily by the development of more and more IP-enabled devices, but also by the increase in global broadband availability and the advent of IPv6. The security risks posed by the Internet of Everything are not just related to the any-to-any endpoint proliferation that is bringing us closer, day by day, to an even more highly connected world, but also the opportunity for malicious actors to utilize even more inroads to compromise users, networks, and data. The new connections themselves create risk because they will generate even more data in motion that needs to be protected in real timeincluding the ballooning volumes of big data that enterprises will continue to collect, store, and analyze.
The Internet of Everything is quickly taking shape, so the security professional needs to think about how to shift their focus from simply securing endpoints and the network perimeter.
Chris Young, Senior Vice President of the Security and Government Group at Cisco
The Internet of Everything is quickly taking shape, so the security professional needs to think about how to shift their focus from simply securing endpoints and the network perimeter, says Chris Young. There will be too many devices, too many connections, and too many content types and applicationsand the number will only keep growing. In this new landscape, the network itself becomes part of the security paradigm that allows enterprises to extend policy and control over different environments.
In the Internet of Everything, connections are what matter most. The types of connections, not the number, are what create value between people, processes, data, and things.
16
17
PLATFORM
iPhone iPad BlackBerry Android Other
DEC 2010
DEC 2011
DEC 2012
TOTAL
controls. For example, users who want to check their email and calendar on their device are required to take Ciscos security profile that enforces remote wipe, encryption and passphrase. Social support has been a key component of the BYOD program at Cisco from the start. We rely heavily on [the enterprise collaboration platform] WebEx Social as our BYOD support platform, and its paid huge dividends, says Belding. We have more devices supported than ever before and, at the same time, weve had the fewest number of support cases. Our goal is that someday an employee can simply bring in any device and self-provision using the Cisco Identity Services Engine (ISE) and set up our core WebEx collaboration tools, including Meeting Center, Jabber, and WebEx Social. The next step for BYOD at Cisco, according to Belding, is to further improve security by increasing visibility and control over all user activity and devices, on both the physical network and virtual infrastructure, while improving the user experience. Caring about the user experience is a core consumerization of IT trend, says Belding. Were trying to apply this concept to our organization. We have to. I think what were seeing now is an IT-ization of users. Were beyond the point of them asking, Can I use this device at work? Now theyre saying, I understand you need to keep the enterprise secure, but dont interfere with my user experience.
We have more devices supported than ever before and, at the same time, weve had the fewest number of support cases. Our goal is that someday an employee can simply bring in any device and self-provision using the Cisco Identity Services Engine (ISE) and set up our core WebEx collaboration tools, including Meeting Center, Jabber, and WebEx Social.
Brett Belding, Senior Manager Overseeing Cisco IT Mobility Services
18
19
Global data center traffic is on the rise. According to the Cisco Global Cloud Index, global data center traffic is expected to quadruple over the next five years and will grow at a compound annual growth rate (CAGR) of 31 percent between 2011 and 2016.
10
Of this tremendous growth, the fastest-growing component is cloud data. Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016. In fact, global cloud traffic will make up nearly two-thirds of total data center traffic by 2016.11 This explosion in cloud traffic raises questions about the ability of enterprises to manage this information. In the cloud, the lines of control are blurred: Can an organization place safety nets around its cloud data when they dont own and operate the data center? How can even basic security
tools such as firewalls and antivirus software be applied when the network edge cannot be defined? No matter how many security questions are raised, its clear more and more enterprises are embracing the benefits of cloudsand those
Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016.
20
21
that have are not likely to return to a the private data center model. While the opportunities of the cloud for organizations are manyincluding cost savings, greater workforce collaboration, productivity, and a reduced carbon footprintthe possible security risks that enterprises face as a result of moving business data and processes to the cloud include:
Hypervisors
If compromised, this software that creates and runs virtual machines could lead to mass hacking or data compromise against multiple serversapplying the same ease of management and access that virtualization provides to a successful hack. A rogue hypervisor (taken control of by hyperjacking) can take complete control of a server.12
Virtualization and cloud computing create problems just like those of BYOD, but turned on their head, says Joe Epstein, former Chief Executive Officer of Virtuata, a company acquired by Cisco in 2012 that provides innovative capabilities for securing virtual machine-level information in data centers and cloud environments. High-value applications and high-value data are now moving around the data center. And the notion of virtual workloads makes enterprises uncomfortable. In the virtual environment, how do you know you can trust what youre running? The answer is that you havent been able to so farand that uncertainty has been a key barrier to cloud adoption. But Epstein notes that it is becoming increasingly difficult for enterprises to ignore virtualization and the cloud. The world is going to share everything, he says. Everything will be virtualized; everything will be shared. It will not make sense to continue running only private data centers; hybrid clouds are where IT is heading.
Virtualization and cloud computing create problems just like those of BYOD, but turned on their head... High-value applications and high-value data are now moving around the data center.
Joe Epstein, Former Chief Executive Officer of Virtuata
The answer to these growing cloud and virtualization challenges is adaptive and responsive security. In this case, security must be a programmable element seamlessly integrated into the underlying data center fabric, according to Epstein. In addition, security needs to be built in at the design phase, instead of being bolted on post-implementation.
A rogue hypervisor (taken control of by hyperjacking) can take complete control of a server.
22
23
Modern workersparticularly young Millennialswant the freedom to browse the web not only when and how they want to, but also with the devices they choose. However, they dont want these freedoms impinged upon by their employers, a situation that can spell tension for security professionals.
According to the 2012 Cisco Connected World Technology Report study, two-thirds of respondents believe employers should not track employees online activities on company-issued devices. In short, they do not think employers have any business monitoring such behavior. Only about one-third (34 percent) of workers surveyed say they dont mind if employers track their online behavior. Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity. Findings for the latest Connected World study also show that Millennials have strong feelings about employers tracking the online activity of workerseven those who report they work at organizations where such tracking does not occur.
Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity.
24
25
Compounding the challenges for security professionals, there appears to be a disconnect between what employees think they can do with their company-issued devices and what policies IT actually dictates about personal usage. Four out of 10 respondents say they are supposed to use company-issued devices for work activity only, while a quarter say they are allowed to use company devices for non work activity. However, 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activityalthough 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work. (You can find information about Ciscos approach to these BYOD challenges on page 16.)
information secure, while 17 percent say they trust most websites to keep their information private. However, 29 percent say that not only do they not trust websites to keep their information private, they also are very concerned about security and identity theft. Compare this to the idea of sharing data with an employer who has the context about who they are and what they do. Millennials are now entering the workplace and bringing with them new working practices and attitudes to information and the associated security thereof. They believe in the demise of privacythat its simply defunct in practice, and its in this paradigm that organizations must operatea concept that will be alarming to the older generation in the workplace, says Adam Philpott, Director, EMEAR Security Sales, Cisco. Organizations can, however, look to provide information security education to their employees to alert them to the risks and provide guidance on how best to share information and leverage online tools within the realms of data security.
Millennials are now entering the workplace and bringing with them new working practices and attitudes to information and the associated security thereof. They believe in the demise of privacythat its simply defunct in practice, and its in this paradigm that organizations must operatea concept that will be alarming to the older generation in the workplace.
Adam Philpott, Director, EMEAR Security Sales, Cisco
There appears to be a disconnect between what employees think they can do with their company-issued devices and what policies IT actually dictates about personal usage.
26
27
Social media has been a boon for many enterprises; the ability to connect directly with customers and other audiences via Twitter and Facebook has helped many organizations build brand awareness via online social interaction. The flip side of this lightning-fast direct communication is that social media can allow inaccurate or misleading information to spread like wildfire. It isnt hard to imagine a scenario in which a terrorist coordinates on-the-ground attacks by using misleading tweets with the intent to clog roads or phone lines, or to send people into the path of danger. One example: Indias government blocked hundreds of websites and curbed texts13 this summer in an attempt to restore calm in north-eastern part of the country after photographs and text messages were posted. The rumors prompted thousands of panicked migrant workers to flood train and bus stations. Similar social media disinformation campaigns have affected market prices as well. A hijacked Reuters Twitter feed reported that the Free Syrian Army had collapsed in Aleppo. A few days later, a Twitter feed was compromised, and a purported top Russian diplomat tweeted that Syrian President Bashar Al-Assad was dead. Before these accounts could be discredited, oil prices on international markets spiked.14 Security professionals need to be alert to such fast-moving and potentially damaging social media posts, especially if they are directed at the enterprise itselfand quick action is needed to defend networks from malware, alert employees to a bogus phishing attempt, re-route a shipment, or advise employees regarding safety. The last thing security executives want to do is alert managers to a breaking story that turns out to be a hoax. The first safeguard against falling for fabricated stories is to confirm the story across multiple sources. At one time, journalists did this job for us, so that by the time we read or heard the news, it was vetted. These days, many journalists are getting their stories from the same Twitter feeds that we are, and if several of us fall for the same story, we can easily mistake re-tweets for story confirmation. For fast-breaking news requiring quick action, your best bet may be to use the old-fashioned sniff test. If the story seems far-fetched, think twice before repeating or citing it.15
For fast-breaking news requiring quick action, your best bet may be to use the old-fashioned sniff test. If the story seems far-fetched, think twice before repeating or citing it.
28
29
Big Data
A Big Deal for Todays Enterprises
The business world is abuzz about big dataand the potential for analytics gold that can be mined from the vast volumes of information that enterprises generate, collect, and store.
The 2012 Cisco Connected World Technology Report examined the impact of the big-data trend on enterprisesand more specifically, their IT teams. According to the studys findings, about three-quarters (74 percent) of organizations globally are already collecting and storing data, and management is using analysis of big data to make business decisions. Additionally, seven in 10 IT respondents reported that big data will be a strategic priority for their company and IT team in the year ahead. As mobility, cloud, virtualization, endpoint proliferation, and other networking trends evolve or emerge, they will pave the way for even more big data and analytics opportunities for businesses. But there are security concerns about big data. The 2012 Connected World studys findings show that a third of respondents (32 percent) believe big data complicates security requirements and protection of data and networks because there is so much data and too many ways of accessing it. In short, big data increases the vectors and angles that enterprise security teams and security solutionsmust cover.
About 74 percent of organizations globally are already collecting and storing data, and management is using analysis of big data to make business decisions.
30
31
Korea, Germany, the United States, and Mexico had the highest percentages of IT respondents who believe big data complicates security.
Korea (45 percent), Germany (42 percent), the United States (40 percent), and Mexico (40 percent) had the highest percentages of IT respondents who believe big data complicates security. To help ensure security, the majority of IT respondentsmore than two-thirds (68 percent)believe the entire IT team should participate in strategizing and leading big data efforts within their companies. Gavin Reid, Director of Threat Research for Cisco Security Intelligence Operations, says Big data doesnt complicate securityit makes it possible. At Cisco we collect and store 2.6 trillion records every daythat forms the platform from which we can start incident detection and control. As for solutions designed to help enterprises both better manage and unlock the value of their big data, there are barriers to adoption. Respondents pointed to lack of budget, lack of time to study big data, lack of appropriate
solutions, lack of IT staff, and lack of IT expertise. The fact that almost one in four respondents globally (23 percent) said lack of expertise and personnel was an inhibitor to their enterprises ability to use big data effectively indicates a need for more professionals entering the job market to be trained in this area. The cloud is a factor in big data success, as well, according to 50 percent of IT respondents to the 2012 Connected World study. They believe their organizations need to work through cloud plans and deployments to make big data a worthwhile venture. This sentiment was prominent in China (78 percent) and India (76 percent), where more than three out of four respondents believed there was a dependency on cloud before big
data could truly take off. As a result, in some cases, the study indicates cloud adoption will impact the rate of adoptionand benefitsof big-data efforts. More than half of overall IT respondents also confirmed that big-data discussions within their companies are not fruitful yet. That is not surprising considering the market is just now trying to understand how to harness their big data, analyze it, and use it strategically. In some countries, however, big-data discussions are resulting in meaningful decisions on strategy, direction, and solutions. China (82 percent), Mexico (67 percent), India (63 percent), and Argentina (57 percent) lead in this regard, with well over half of the respondents from these countries claiming that big-data discussions in their organizations are well under wayand leading to solid actions and results. Three out of five IT respondents to the 2012 Connected World Report believe big data can help countries and their economies become more competitive in the global marketplace.
There are some countries where big-data discussions are resulting in meaningful decisions on strategy, direction, and solutions. China, Mexico, India, and Argentina lead in this regard, with well over half of the respondents from these countries claiming that big-data discussions in their organizations are well under wayand leading to solid actions and results.
As for solutions that are designed to help enterprises both better manage and unlock the value of their big data, there are barriers to adoption. Respondents pointed to lack of budget, lack of time to study big data, lack of appropriate solutions, lack of IT staff, and lack of IT expertise.
32
33
Many security professionalsand certainly a large community of online usershold preconceived ideas about where people are most likely to stumble across dangerous web malware.
The general belief is that sites that promote criminal activitysuch as sites selling illegal pharmaceuticals or counterfeit luxury goodsare most likely to host malware. Our data reveals the truth of this outdated notion, as web malware encounters are typically not the by-product of bad sites in todays threat landscape. Web malware encounters occur everywhere people visit on the Internetincluding the most legitimate of websites that they visit frequently, even for business purposes, says Mary Landesman, Senior Security Researcher with Cisco. Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred. Of course, this isnt the result of business sites that are designed to be malicious. The dangers, however, are often hidden in plain sight through exploit-laden online ads that are distributed to legitimate websites, or hackers targeting the user community on the common sites they use most. In addition, malware-infected websites are prevalent across many countries and regionsnot just in one or two countries, dispelling the notion that some countries websites are more likely to host malicious content than others. The web is the most formidable malware delivery mechanism weve seen to date, outpacing even the most prolific
Dangers are often hidden in plain sight through exploit-laden online ads.
34
35
worm or virus in its ability to reach and infecta mass audience silently and effectively, says Landesman. Enterprises need protection, even if they block common bad sites, with additional granularity in inspection and analysis.
encounters, fell dramatically to sixth position in 2012. Denmark and Sweden now hold the third and fourth spots, respectively. The United States retains the top ranking in 2012, as it did in 2011, with 33 percent of all web malware encounters occurring via websites hosted in the United States. Changes in geographical location between 2011 and 2012 likely reflect both changes in detection and user habits. For example, malvertising, or malware delivered via online ads, played a more significant role in web malware encounters in 2012 than in 2011. It is worth repeating that web malware encounters most frequently occur via normal browsing of legitimate websites that may have been compromised or are unwittingly serving malicious advertising. Malicious advertising can impact any website, regardless of the sites origin. Overall, the geographical data for 2012 demonstrates that the web is an equal-opportunity infectorcontrary to the perceptions that only one or two countries are responsible for hosting web malware or that any one country is safer than another. Just as the dynamic content delivery of Web 2.0 enables the monetization of websites across the globe, it can also facilitate the global delivery of web malware.
250 or less 251500 5011000 10012500 25015000 500110,000 10,00125,000 Above 25,000
All companiesregardless of sizeface significant risk of web malware encounters. Every organization should focus on the fundamentals of securing its network and intellectual property.
36
37
4.07%
United Kingdom
10
Denmark
4
9.55%
9.27%
Sweden
1.95% 1
7
9
3
5
Ireland
2.27%
2
8
Russia
9.79%
Netherlands
6.11%
Germany
China
2.63% 33.14%
5.65%
Turkey
United States
Overall, the geographical data for 2012 demonstrates that the web is an equal-opportunity infectorcontrary to the perceptions that only one or two countries are responsible for hosting web malware or that any one country is safer than another.
38
39
Exploit 9.8%
Infostealing 3.4%
Downloader 1.1% Malscript/iframe Worm 0.89% Virus 0.48% Mobile 0.42% Scareware 0.16% Ransomware 0.058% Malware/Hack Kit 0.057% Android Growth 83.4%
Of course, there is a distinct difference between where a web malware encounter occurs and where the malware is actually hosted. In malvertising, for example, the encounter typically occurs when visiting a reputable, legitimate website that happens to carry third-party advertising. However, the actual malware intended for delivery is hosted on a completely different domain. Since Ciscos data is based on where the encounter occurred, it has no bearing on actual malware origin. For instance, increased popularity of social media and entertainment sites in Denmark and Sweden, coupled with malvertising risks, is largely responsible for increased encounters from sites hosted in those regions but is not indicative of actual malware origin.
the first documented Android botnet in the wild, indicating that mobile malware developments in 2013 bear watching. While some experts are claiming Android is the biggest threat or should be a primary focus for enterprise security teams in 2013 the actual data shows otherwise. As noted above, mobile web malware in general makes up less than 1 percent of total encountersfar from the doomsday scenario many are detailing. The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not root or jailbreak their devices, and only install applications from official and trusted distribution channels. If users choose to go outside official mobile app stores, they should ensure, before downloading an app, that they know and trust the apps author and can validate that the code has not been tampered with. Looking at the wider landscape for web malware, it is not surprising that malicious scripts and iFrames comprised 83 percent of encounters in 2012. While this is relatively consistent with previous years, its a finding worthy of reflection.
40
41
These types of attacks often represent malicious code on trusted webpages that users may visit every day meaning an attacker is able to compromise users without even raising their suspicion. Exploits take the second spot, with 10 percent of the total number of web malware encounters last year. However, these figures are largely a result of where the block occurred versus actual concentration of exploits on the web. For example, the 83 percent of malicious scripts and hidden iFrames are blocks that occur at an earlier stage, prior to any exploit rendering; hence, they may artificially decrease the number of exploits observed. Exploits remain a significant cause of infection via the web, and their continued presence underscores the need for vendors to adopt security best practices in their product life cycles. Organizations should focus on security as part of the product design and development process, with timely vulnerability disclosures, and prompt/ regular patch cycles. Organizations and users also need to be made aware of the security risks associated with using products that are no longer supported by vendors. It is also critical for organizations to maintain a core
vulnerability management process and for users to keep to their hardware and software up to date. Rounding out the top five are infostealers, with 3.5 percent of the total web malware encounters in 2012, downloaders (1.1 percent), and worms (0.8 percent). Once again, these numbers are a reflection of where the block occurs, generally at the point in which the malicious script or iFrame is first encountered. As a result, these numbers are not reflective of the actual number of infostealers, downloaders, or worms being distributed via the web.
65.05%
33.81%
0.00%
The high concentration of Java exploits shows that these vulnerabilities are attempted prior to other types of exploits and also demonstrates that attackers are finding success with Java exploits.
42
43
demonstrates that attackers are finding success with Java exploits. Additionally, with over 3 billion devices running Java,16 the technology represents a clear way for hackers to scale their attacks across multiple platforms. Two other cross-platform technologiesPDF and Flashtook the second and third spots in Ciscos analysis of the top content types for malware distribution. Though Active X is still being exploited, Cisco researchers have seen a consistently low use of the technology as a vehicle for malware. However, as noted earlier regarding Java, lower numbers of certain types of exploits are largely a reflection of the order in which exploits are attempted. In examining media content, Cisco data reveals almost twice as much image-based malware than non-Flash video. However, this is due, in part, to the way browsers handle declared content types, and attackers efforts to manipulate these controls by declaring erroneous content types. In addition, malware command-andcontrol systems often distribute server information via comments hidden in ordinary image files.
Advertisements 16.81%
Games 6.51%
Web Hosting 4.98% Search Engines & Portals 4.53% Computers & Internet 3.57% Shopping 3.57% Travel 3.00%
Online Communities 2.66% Entertainment 2.57% Online Storage & Backup 2.27% News 2.18% Sports & Recreations 2.10% File Transfer Services 1.50% SaaS & B2B 1.40%
Transportation 1.11%
Education 1.17%
The vast majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the mostand think are safe.
44
45
Cybercriminals have paid close attention to modern browsing habits to expose the largest possible population to web malware.
Looking further down the list of site categories through which malware encounters occurred, business and industry siteswhich include everything from corporate sites to human resources to freight services are in third place. Online gaming is in fourth place, followed by web hosting sites and search engines in fifth and sixth places, respectively. The top 20 website categories are absent of sites typically thought of as malicious. There is a healthy mix of popular and legitimate site types such as online shopping (#8), news (#13), and SaaS/business-to-business applications (#16). Cybercriminals have paid close attention to modern browsing habits to expose the largest possible population to web malware. Where the online users are, malware creators will follow, taking advantage of trusted websites through direct compromise or thirdparty distribution networks.
20% 13%
Ads
9% 36% 22%
Online Video
Search Engine
If the data on the top websites visited across the Internet is correlated with the most dangerous category of website, the very same places online users have the most exposure to malware, such as search engines, are among the top areas that drive web malware encounters.
Organizations of all sizes are embracing social media and online video; most major brands have a presence on Facebook and Twitter, and many are integrating social media into their actual products.
If the data on the top websites visited across the Internet is correlated with the most dangerous category of website, the very same places online users have the most exposure to malware, such as search engines, are among the top areas that drive web
malware encounters. This correlation shows once again that malware creators are focused on maximizing their ROIand therefore, they will center their efforts on the places where the number of users and ease of exposure are greatest.
46
47
Malware camouflage is an emerging threat that security professionals may increasingly face. While most malware already uses simple mutation or obfuscation to diversify and make itself harder to reverse-engineer, self-camouflaging malware is even stealthier, blending in with the specific software already present on each system it infects. This can elude defenses that look for software anomalies like runtime unpacking or encrypted code, which often expose more conventional malware. The latest self-camouflaging malware technologyappropriately dubbed Frankenstein17is a product of our research this year in the Cyber Security Research and Education Center at The University of Texas at Dallas. Like the fictional mad scientist in Mary Shelleys 1818 horror novel, Frankenstein malware creates mutants by stealing body parts (i.e., code) from other software it encounters and stitches the code together to create unique variants of itself. Each Frankenstein mutant is therefore composed entirely of non-anomalous, benignlooking software; performs no suspicious runtime unpacking or encryption; and has access to an ever-expanding pool of code transformations learned from the many programs it encounters. Under the hood, Frankenstein brings its creations to life using an array of techniques drawn from compiler theory and program analysis. Victim binaries are first scanned for short byte sequences that decode to potentially useful instruction sequences, called gadgets. A small abstract interpreter next infers the possible semantic effects of each gadget discovered. Backtracking search is then applied to discover gadget sequences that, when executed in order, have the effect of implementing the malware payloads malicious behavior.
In general, our research suggests that next-generation malware may increasingly eschew simple mutations based on encryption and packing in favor of advanced metamorphic binary obfuscations like those used by Frankenstein.
Each such discovered sequence is finally assembled to form a fresh mutant. In practice, Frankenstein discovers over 2,000 gadgets per second, accumulating over 100,000 from just two or three victim binaries in under five seconds. With such a large gadget pool at their disposal, the resulting mutants rarely share any common instruction sequences; each therefore looks unique. In general, our research suggests that next-generation malware may increasingly eschew simple mutations based on encryption and packing in favor of advanced metamorphic binary obfuscations like those used by Frankenstein. Such obfuscations are feasible to implement, support rapid propagation, and are effective for concealing malware from the static analysis phases of most malware detection engines. To counter this trend, defenders will need to deploy some of the same technologies used to develop Frankenstein, including static analyses based on semantic, rather than syntactic, feature extraction, and semantic signatures derived from machine learning18 rather than purely manual analysis. This article reports research supported in part by National Science Foundation (NSF) award #1054629 and U.S. Air Force Office of Scientific Research (AFOSR) award FA9550-10-10088. Any opinions, findings, conclusions, or recommendations expressed are those of the author and do not necessarily reflect those of the NSF or AFOSR.
Like the fictional mad scientist in Mary Shelleys 1818 horror novel, Frankenstein malware creates mutants by stealing body parts (i.e., code) from other software it encounters and stitches the code together to create unique variants of itself.
17
Vishwath Mohan and Kevin W. Hamlen. Frankenstein: Stitching Malware from Benign Binaries. In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT), pp. 77-84, August 2012. Mohammad M. Masud, Tahseen M. Al-Khateeb, Kevin W. Hamlen, Jing Gao, Latifur Khan, Jiawei Han, and Bhavani Thuraisingham. Cloud-based Malware Detection for Evolving Data Streams. ACM Transactions on Management Information Systems (TMIS), 2(3), October 2011.
18
48
49
2012 Vulnerability and Threat Analysis Total Reamp New Total Reamp New
The Vulnerability Threat chart shows increase threat 417and 259 158 Categories 417 552 344 in 208 552totals January 403 237 166a significant 403 in 2012, threats increased 19.8 percent over 2011. This sharp increase in threats is placing 551 317 234 1103 February 430 253 177 847 400 176 224 803 a serious strain on the ability of organizations to keep vulnerability management systems 487 238 249 1590 March 518 324 194 1364 501 276 225 1304 updated and patchedespecially given the shift to virtual environments. 524 306 218 2114 April 375 167 208 1740 475 229 246 1779 Organizations are also to address the increasing of third-party open174 attempting 148 2062 343 243and 2700 May 322 404 185 219 2183 use 586 source software included in their products and in their environments. Just one vulnerability 647 389 258 3347 June 534 294 240 2596 472 221 251 2655 in third-party or open-source solutions can impact a broad range of systems across the 514 277 237 3861 July 422 210 212 3018 453 213 240 3108 environment, which makes it very difficult to identify and patch or update all those systems, 541 286 255 3559 591 306 285 4452 August 474 226 248 3582 says Jeff Shipley, Manager of Cisco Security Research and Operations. 572 330 242 5024 September 357 167 190 3916 441 234 207 4023 As October for the types of threats, the largest group is resource management threats; generally 418 191 227 4334 517 280 237this 5541 558 314 244 4581 includes denial of service vulnerabilities, input validation threats such as SQL injection 375 175 200 5916 November 476 252 224 4810 357 195 162 4938 and cross-site scripting errors, and buffer overflows that result in denial of service. The 376 183 193 6292 December 400 203 197 5210 363 178 185 5301 preponderance of similar threats from previous years, combined with the sharp increase in threats, indicates the security industry to become better at detecting 5210that 2780 2430 5301needs 2684 2617 6292equipped 3488 2804 and handling these vulnerabilities. The Cisco IntelliShield Alert Urgency Ratings reflect the level of threat activity related to specific vulnerabilities. The substantial increase in Level 3 urgency ratings indicates that 2010 2011 2012 8000 more vulnerabilities are actually being exploited. This is likely due to the increase in publicly 7000 released exploits either by researchers or test tools, and the incorporation of those exploits 6000 into attack toolkits. These two factors are allowing more exploits to be available and used 5000 across 4000 the board by hackers and criminal groups. The Cisco IntelliShield Alert Severity Ratings reflect the impact level of successful 2000 vulnerability 1000 exploits. The severity ratings also show a noticeable increase in Level 3 0 the same reasons indicated above relating to the ready availability of threatsfor J F M A M J J A S O N D exploit tools.
3000
January February March April May June July August September October November December
417 259 158 417 430 253 177 847 518 324 194 1364 375 167 208 1740 322 174 148 2062 534 294 240 2596 422 210 212 3018 541 286 255 3559 357 167 190 3916 418 191 227 4334 476 252 224 4810 400 203 197 5210
5210 2780 2430
403 237 166 403 400 176 224 803 501 276 225 1304 475 229 246 1779 404 185 219 2183 472 221 251 2655 453 213 240 3108 474 226 248 3582 441 234 207 4023 558 314 244 4581 357 195 162 4938 363 178 185 5301
5301 2684 2617
552 344 208 552 551 317 234 1103 487 238 249 1590 524 306 218 2114 586 343 243 2700 647 389 258 3347 514 277 237 3861 591 306 285 4452 572 330 242 5024 517 280 237 5541 375 175 200 5916 376 183 193 6292
6292 3488 2804
2010
2011
2012
Just one vulnerability in third-party or open-source solutions can impact 2010 2011 a broad Rating range of systems across the environment, which makes it 2012 very Rating difficult Urgency to identify and patch or update all those systems. Severity 3 3
Jeff Shipley, Manager, Cisco Security Research and Operations
Urgency 4 Urgency 5
0 10 20 30 40 50 60
Severity 4 Severity 5
0 500 1000 1500 2000
50
51
Evolutionary Threats
New Methods, Same Exploits
Anything goes when it comes to cyber exploits todayas long as the method selected will get the job done.
This is not to say that actors in the shadow economy do not remain committed to creating ever-more sophisticated tools and techniques to compromise users, infect networks, and steal sensitive data, among many other goals. In 2012, however, there was a trend toward reaching back to oldies but goodies to find new ways to create disruption or evade enterprise security protections. DDoS attacks are a primary example several major U.S. financial institutions were the high-profile targets of two major and related campaigns launched by foreign hacktivist groups in the last six months of 2012 (for detailed analysis, see the 2012 Distributed Denial of Service Trends section). Some security experts warn that these events are just the beginning and that hacktivists, organized crime rings, and even nation states will be the perpetrators19 of these attacks in the future, working both collaboratively and independently. We are seeing a trend in DDoS, with attackers adding additional context about their target site to make the outage more significant, says Gavin Reid, Director of Threat Research for Cisco Security Intelligence Operations, Instead of doing a SYN flood, the DDoS now attempts to manipulate a specific application in the organization potentially causing a cascading set of damage if it fails.
In 2012 there was a trend toward reaching back to oldies but goodies to find new ways to create disruption or evade enterprise security protections.
52
53
Even against a sophisticatedbut averageadversary, the current state of the art in network security is often significantly outmatched.
Gregory Neal Akers, Senior Vice President for the Advanced Security Initiatives Group at Cisco
While enterprises may believe they are adequately protected against the DDoS threat, more than likely their network could not defend against the type of high-volume and relentless DDoS attacks witnessed in 2012. Even against a sophisticatedbut averageadversary, the current state of the art in network security is often significantly outmatched, says Gregory Neal Akers, Senior Vice President for the Advanced Security Initiatives Group at Cisco.
Another trend in the cybercrime community revolves around the democratization of threats. We are increasingly seeing that the tools and techniquesand intelligence about how to exploit vulnerabilities are being broadly shared in the shadow economy today. Tradecraft capabilities have evolved a great deal, Akers says. Were now seeing more specialization and more collaboration among malicious actors. Its a threat assembly line: Someone develops a bug, someone else writes the malware, another person designs the social engineering component, and so on. Creating potent threats that will help them gain access to the large volumes of high-value assets coming across the network is one reason that cybercriminals are combining their expertise more often. But like any realworld organization that outsources tasks, efficiency and cost savings are among the primary drivers for the build-a-threat approach in the cybercrime community. The freelance talent hired for these tasks typically advertise their skills and pay rates to the broader cybercrime community via secret online marketplaces.
54
55
Transmission Control Protocol, Src Port: 32883 (32883), Dst DCE RPC Bind, Fragment: Single, FragLen: 820, Call: 0 Version: 5 Version (minor): 0 Packet type: Bind (11) Packet Flags: 0x03 Data Representation: 10000000 Frag Length: 820 Auth Length: 0 Call ID: 0 Max Xmit Frag: 5840 Max Recv Frag: 5840 Assoc Group: 0x00000000 Num Ctx Items: 18 Context ID: 0 Num Trans Itms: 1 Interface UUID: c681d4c7-7f36-33aa-6cb8-535560c3f0e9 Context ID: 1 Num Trans Items: 1 Interface UUID: 2ec29c7e-6d49-5e67-9d6f-4c4a37a87355
Cybercriminals are constantly evolving new techniques to bypass security devices. Cisco researchers watch vigilantly for new techniques and the weaponization of well-known techniques.
Cisco Security Research and Operations runs several malware labs to observe malicious traffic in the wild. Malware is intentionally released in the lab to ensure security devices are effective; computers are also left intentionally vulnerable and exposed to the Internet.
56
57
CASE STUDY
Operation Ababil
During September and October 2012, Cisco and Arbor Networks monitored a targeted and very serious DDoS attack campaign known as Operation Ababil, which was aimed at U.S.-based financial institutions. The DDoS attacks were premeditated, focused, advertised before the fact, and executed to the letter. Attackers were able to render several major financial sites unavailable to legitimate customers for a period of minutesand in the most severe instances, hours. Over the course of the events, several groups claimed responsibility for the attacks; at least one group purported to be protesting copyright and intellectual property legislation in the United States. Others broadcast their involvement as a response to a YouTube video offensive to some Muslims. From a cybersecurity standpoint, Operation Ababil is notable because it took advantage of common web applications and hosting servers that are as popular as they are vulnerable. The other obvious and uncommon factor used in this series of attacks was that simultaneous attacks, at high bandwidth, were launched against multiple companies in the same industry (financial). As is often seen in the security industry, whats old is new again. On September 18, 2012, Cyber Fighters of Izz ad-Din al-Qassam posted on Pastebin29 beseeching Muslims to target major financial institutions and commodities trading platforms. The threats and specific targets were put up for the world to see and continued for four consecutive weeks. Each week, new threats with new targets were followed up by actions at the appointed times and dates. By the fifth week, the group stopped naming targets but made it clear that campaigns would continue. As promised, the campaigns renewed in earnest in December 2012, once again targeting multiple large U.S. financial organizations. Phase 2 of Operation Ababil was also announced on Pastebin.30 Instead of infected machines, a variety of PHP web applications, including the Joomla Content Management System, served as the primary bots in the campaign. Additionally, many WordPress sites, often using the out-of-date TimThumb plug-in, were being compromised around the same time. The attackers often went after unmaintained servers hosting these applications and uploaded PHP webshells to deploy further attack tools. The concept of command and control did not apply in the usual manner, however; the attackers connected to the tools directly or through intermediate servers, scripts, and proxies. During the cyber events in September and October 2012, a wide array of files and PHP-based tools were used, not just the widely reported tsoknoproblembro (aka Brobot). The second round of activity also utilized updated attack tools such as Brobot v2. Operation Ababil deployed a combination of tools with vectors crossing application-layer attacks on HTTP, HTTPS, and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP, and other IP protocols. Ciscos analysis showed that the majority of packets were sent to TCP/UDP port 53 (DNS) or 80 (HTTP). While traffic on UDP port 53 and TCP port 53 and 80 represent normally valid traffic, packets destined for UDP port 80 represent an anomaly not commonly used by applications. A detailed report of the patterns and payloads of the Operation Ababil campaign can be found in Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions.31
Lessons Learned
While they are a critical part of any network security portfolio, IPS and firewall devices rely on stateful traffic inspection. Application-layer techniques used in the Operation Ababil campaign easily overwhelmed those state tables and, in several cases, caused them to fail. Intelligent DDoS mitigation technology was the only effective countermeasure. Managed security services and ISPs have their limits. In a typical DDoS attack, the prevailing wisdom says to deal with volumetric attacks in the network. For application-layer campaigns that are deployed closer to the victim, these should be addressed at the data center or on the customer edge. Because multiple organizations were targeted concurrently, network scrubbing centers were strained. It is critical to keep hardware and software current on DDoS mitigation appliances. Older deployments are not always able to deal with newer threats. It is also important to have the right capacity in the right locations. Being able to mitigate a large attack is useless if traffic cannot be channeled to the location where the technology has been deployed. While cloud or network DDoS mitigation typically has much higher bandwidth capacity, on-premise solutions provide better reaction time against, control of, and visibility into the attacks. Combining the two makes for a more complete solution. In conjunction with cloud and network DDoS technologies, and as part of the collateral produced for the Operation Ababil events, Cisco has outlined detection and mitigation techniques in the Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions Applied Mitigation Bulletin.32 These techniques include the use of Transit Access Control List (tACL) filtering, NetFlow data analysis, and unicast Reverse Path Forwarding (uRPF). In addition, there are a number of best practices that should be regularly reviewed, tested, and implemented that will greatly help enterprises to prepare for and react to network events. A library of these best practices can be found by referencing the Cisco SIO Tactical Resources33 and Service Provider Security Best Practices.34
58
59
Spam volumes are continuing to decline worldwide, according to Ciscos research, but spam remains a go-to tool for many cybercriminals, who view it as an efficient and expedient way to expose users to malware and facilitate a wide range of scams.
However, despite the perception that malware is typically deployed through spam email attachments, Ciscos research shows that very few spammers today rely on this method; instead, they turn to malicious links within the email as a far more efficient distribution mechanism. Spam is also less scattershot than in the past, with many spammers preferring to target specific groups of users with the hope of generating higher returns. Name-brand pharmaceuticals, luxury watch brands, and events such as tax season top the list of things that spammers promote most in their campaigns. Over time, spammers have learned that the quickest way to attract clicks and purchasesand to generate a profitis to leverage spoofed brands and take advantage of current events that have the attention of large groups of users.
60
61
4.19%
China
4.60%
Korea
Russia
2 2.72%
10
3.88%
6 4 8 1 5 12.3% 3
11.38%
India
4.00%
Vietnam
2.94%
Taiwan
English 79%
Russian 5%
Catalan 3%
Japanese 3%
Danish 2%
German French 1% 1%
Romanian Spanish 1% 1%
Chinese 1%
High-volume spam is more likely to be noticed by mail providers and shut down before its purpose can be fulfilled.
Spam Language
62
63
In 2012, there were several examples of spammers using news about world eventsand even human tragedyto take advantage of users.
SPAM VOLUMES
In 2011, overall global spam volumes were down 18 percent. This is far from the dramatic drop in volume seen in 2010 following the botnet takedowns, but the continued downward trend is a positive development nonetheless. Spammers continue their focus on minimizing effort while maximizing impact. According to Ciscos research, spam volumes fall by 25 percent on weekends, when users are often away from their email. Spam volumes rise to the highest levels on Tuesday and Wednesdayan average of 10 percent higher than on other weekdays. This heightened activity in the middle of the week and lower volumes on the weekend allow spammers to live normal lives. It also gives them time to spend crafting tailored campaigns based on world events early in the week that will help them to generate a higher response rate to their campaigns.
-18%
MONDAY TUESDAY WEDNESDAY THURSDAY FRIDAY SATURDAY SUNDAY
+10%
Spam Origination
In the world of spam, some countries remain the same while others dramatically change their rankings. In 2012, India retains the top spot as a source of spam worldwide, with the United States moving up from sixth in 2011 to second in 2012. Rounding out the top five spam-originating countries are Korea (third), China (fourth) and Vietnam (fifth). Overall, the majority of spammers focus their efforts on creating spam messages that feature the languages
-25%
spoken by the largest audiences who use email on a regular basis. According to Ciscos research, the top language for spam messages in 2012 was English, followed by Russian, Catalan, Japanese, and Danish. Of note, there are gaps between where spam is being sent from and the
languages that are being used in the spam message; for example, while India was the number one spam-originating country in 2012, local dialects did not break the top 10 in terms of languages used in spam sent from India. The same was true for Korea, Vietnam, and China.
64
65
Only 3 percent of spam has an attachment versus 25 percent of valid email, but spam attachments are 18 percent larger.
Email Attachments
Spam Email
Email Attachments
Spam has long been thought of as a delivery mechanism for malware, especially when an attachment is involved. But Ciscos recent research on the use of email attachments in spam campaigns shows that this perception may be a myth. Only 3 percent of total spam has an attachment, versus 25 percent of valid email. And in the rare cases when a spam message does include an attachment, it is an average of 18 percent larger than a typical attachment that would be included in valid email. As a result, these attachments tend to stand out. In modern email, links are king. Spammers design their campaigns to convince users to visit websites where they can purchase products or services (often dubious). Once there, users personal information is collected, often without their knowledge, or they are compromised in some other way.
Only 3% of Spam has an Attachment, versus 25% of Valid Email Valid Email
3%
25%
As the Spoofed Brands analysis that appears later in this section reveals, a majority of spam comes from groups who seek to sell a very specific group of name-brand goodsfrom luxury watches to pharmaceuticalsthat are, in most cases, fake.
IPv6 Spam
While IPv6-based email remains a very small percentage of overall traffic, it is growing as more email users move to IPv6-enabled infrastructure. However, while overall email volumes are growing at a rapid clip, this is not the case with IPv6 spam. This suggests that spammers are hedging against the time and expense to migrate to the new Internet standard. There is no driving need for spammersand little to no material benefitto cause such a shift at present. As IPv4 addresses are exhausted and mobile devices and M2M communication drive explosive growth in IPv6, expect spammers to upgrade their infrastructure and accelerate their efforts.
18%
Figure 15: IPv6 Spam
more email users move to IPv6-enabled infrastructure. IPv6 Spam While IPv6-based email remains a very small percentage of overall traffic, it is growing as
In modern email, links are king. Spammers design their campaigns to convince users to visit websites where they can purchase products or services. Once there, users personal information is collected, often without their knowledge, or they are compromised in some other way.
JUN JUL AUG SEP OCT NOV DEC
66
67
Spoofed Brands
5% 50% 100%
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC Prescription Drugs Luxury Watches Credit Card Business Reviews Professional Network Electronic Money Transfer Accounting Software Social Network Professional Associations Airline Mail Weight Loss Government Organization Windows Software Cellular Company Online Classifieds Taxes Human Growth Hormone News Electronic Payment Services Greeting Cards Luxury Cars Payroll Services Windows 8 consumer preview released Accounting software during U.S. tax season Cellular related spam coinciding with iPhone 5 release
With spoofed-brands spam email, spammers use organizations and products to send their messages in hopes that online users click on a link or make a purchase. The majority of spoofed brands are prescription drugs, such as anti-anxiety medication and painkillers. In addition, luxury watch brands form a constant layer of noise that retains consistency across the entire year. Ciscos analysis shows that spammers are also skilled at tying their campaigns to news events. From January to March 2012, Cisco data shows a spike in spam relating to Windows software, which coincided with the release of the Windows 8 operating system. From February to April 2012, during the U.S. tax season, analysis shows a precipitous increase in tax software spam. From January to March 2012, and then again from September to December 2012the beginning and the end of the yearspam relating to professional networks made grand entrances, perhaps because spammers know that people often begin job searches during these times of the year.
The bottom line is spammers are in it for the money, and over the years, they have learned that the quickest way to attract clicks and purchases is by offering pharmaceuticals and luxury goods and by tailoring their attacks toward events to which much of the world is paying attention.
From September to November 2012, spammers ran a series of campaigns posing as cellular companies, coinciding with the release of the iPhone 5. The bottom line: Spammers are in it for the money, and over the years, they have learned that the quickest way to attract clicks and purchases is by offering pharmaceuticals and luxury goods and by tailoring their attacks toward events to which much of the world is paying attention.
68
69
In the year ahead, for additional updates and in-depth analysis on security trends, and for information about the latest enterprise security-related publications from Cisco, visit the Cisco Security Reports website. http://www.cisco.com/go/securityreport For ongoing insight from Ciscos experts on a wide range of security topics, visit the Cisco Security Blog. blogs.cisco.com/security
A vendor that fails to evolve with threat technologiesand that does not disclose threatsrisks falling behind.
70
71
The threat landscape of today is not a problem caused by uneducated users visiting malicious sites or is it solved by blocking known bad locations on the web.
This report has demonstrated how attackers have become increasingly more sophisticated, going after the sites, tools, and applications that are least likely to be suspected, and users visit most frequently. Modern threats are capable of infecting mass audiences silently and effectively, not discriminating by industry, business, size or country. Cybercriminals are taking advantage of the rapidly expanding attack surface found in todays any-to-any world, where individuals are using any device to access their business network. As critical national infrastructure, businesses, and global financial markets continue their move to cloud-based services and mobile connectivity, an integrated, layered approach to security is needed to protect the burgeoning Internet of Everything. Hackers and cybercriminals take advantage of the fact that every private or public sector enterprise has its own IT security program, says John Stewart. Yes, we go to conferences and stay in touch with each other, but we really need to move from individualized IT security to one based on real-time intelligence sharing and collective response. Building a better security infrastructure doesnt mean creating a more complex architecturein fact, quite the opposite. Its about making the infrastructure and the elements within
Modern threats are capable of infecting mass audiences silently and effectively, not discriminating by industry, business size, or country.
72
73
it work together, with more intelligence to detect and mitigate threats. With the rapid adoption of BYOD, the reality of multiple devices per user, and growth of cloud-based services, the era of managing security capabilities on each endpoint is over. We must take a holistic approach to security that ensures we are monitoring threats across all vectors, from email to web to users themselves, says Michael Covington, Product Manager for Cisco SIO. Threat intelligence needs to be elevated above individual platforms in order to gain a network perspective. As threats increasingly target users and organizations across multiple vectors, businesses need to collect, store, and process all securityrelevant network activity to better understand the scope and extent of attacks. This level of analysis can then be augmented with the context of network activity to make accurate
and timely security decisions. As attackers become more sophisticated, enterprises must design security capabilities into the network from the beginning, with solutions that bring together threat intelligence, security policy, and enforceable controls across all touch points on the network. As the attackers become more sophisticated so, too, must the tools used to thwart their efforts. With the network providing a common fabric for communication across platforms, it will also serve as a means to protect the devices, services, and users that routinely use it to exchange sensitive content. The network of tomorrow is an intelligent one that must provide better security through a collaborative framework than previously possible through the sum of its individual components.
The network of tomorrow is an intelligent one that must provide better security through a collaborative framework than previously possible through the sum of its individual components.
74
75
It has become an increasing challenge to manage and secure todays distributed and agile networks.
Online criminals continue to exploit users trust in consumer applications and devices, increasing the risk to organizations and employees. Traditional security, which relies on the layering of products and the use of multiple filters, is not enough to defend against the latest generation of malware, which spreads quickly, has global targets, and uses multiple vectors to propagate. Cisco stays ahead of the latest threats using real-time threat intelligence from Cisco Security Intelligence Operations (SIO). Cisco SIO is the worlds largest cloud-based security ecosystem, in which more than 75 terabits of live data feeds from deployed Cisco email, web, firewall, and IPS solutions are analyzed each day. Cisco SIO aggregates data from across threat vectors and analyzes it using both automated algorithms and manual processing in an effort to understand how the threats propagate. SIO then categorizes threats and creates rules using more than 200 parameters. Security researchers also analyze information about security events that have the potential for widespread impact on networks, applications, and devices. Rules are dynamically delivered to deployed Cisco security devices every three to five minutes.
Cisco SIO is the worlds largest cloud-based security ecosystem, in which more than 75 terabits of live data feeds from deployed Cisco email, web, firewall, and IPS solutions are analyzed each day.
76
77
The Cisco SIO team also publishes security best practice recommendations and tactical guidance for thwarting threats. Cisco is committed to providing complete security solutions that are integrated, timely, comprehensive, and effectiveenabling holistic security for organizations worldwide. With Cisco, organizations can save time researching threats and vulnerabilities and focus more on taking a proactive approach to security. For early-warning intelligence, threat and vulnerability analysis, and proven Cisco mitigation solutions, please visit: http://www.cisco.com/security.
sources, including Cisco email, web, firewall, and intrusion prevention system (IPS) security solutions; these platforms sit on the front lines protecting customer networks from malicious content and intruders. In addition to these on-premise customer protection mechanisms, Cisco also collects data from a worldwide deployment of sensors that perform functions such as trapping spam and crawling the web to actively seek out new instances of malware. Using these tools and the data they collect, Ciscos massive network footprint gives SIO systems and researchers insight into a tremendous sampling of both legitimate and malicious activities on the Internet. No security vendor has total visibility into all malicious encounters. The data presented in this report is Ciscos perspective on the current state of the threat landscape and represents our best attempt to normalize data and reflect global trends and patterns based on the data available at the time.
Methodology
The analysis presented in this report is based on data that was gathered from a variety of anonymized global
Cisco collects data from a worldwide deployment of sensors that perform functions such as trapping spam and crawling the web to actively seek out new instances of malware.
78
79
The Internet of Things, by Michael Chui, Markus Lffler, and Roger Roberts, McKinsey Quarterly, March 2010: http://www.mckinseyquarterly.com/The_Internet_of_Things_2538. Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions, October 1, 2012: http://www.cisco.com/web/about/security/intelligence/ERP-financial-DDoS.html. Cisco Internet Business Solutions Group.
20
Maliciously Abusing Implementation Flaws in DNS, DNS Best Practices, Network Protections, and Attack Identification, Cisco.com: http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#3.
21
IP Spoofing, by Farha Ali, Lander University, available at Cisco.com: http://www.cisco.com/web/about/ ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html. Distributed Denial of Service Attacks, by Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki, National Technical University of Athens, The Internet Protocol Journal - Volume 7, Number 4. Available at: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html. DNS Tools, The Measurement Factory: http://dns.measurement-factory.com/tools.
3 4
22
The World Market for Internet Connected Devices2012 Edition, media release, IMS Research, October 4, 2012: http://imsresearch.com/press-release/Internet_Connected_Devices_Approaching_10_Billion_to_ exceed_28_Billion_by_2020&cat_id=210&type=LatestResearch. Cisco Internet Business Solutions Group.
23 24
5 6
Internet of Everything: Its the Connections That Matter, by Dave Evans, Cisco Blog, November 29, 2012: http://blogs.cisco.com/news/internet-of-everything-its-the-connections-that-matter/.
For more on DNS Tools, see DNS-OARC (https://www.dns-oarc.net/oarc/tools) and The Measurement Factory (http://dns.measurement-factory.com/tools/index.html). Secure BIND Template Version 7.3 07 Aug 2012, by TEAM CYMRU, cymru.com: http://www.cymru.com/ Documents/secure-bind-template.html. Response Rate Limiting in the Domain Name System (DNS RRL), RedBarn.org: http://www.redbarn.org/dns/ ratelimits.
25
Cisco Internet Business Solutions Group. C isco 2011 Annual Security Report, December 2011: http://www.cisco.com/en/US/prod/collateral/vpndevc/ security_annual_report_2011.pdf.
26
27
Remote Access and BYOD: Enterprises Working to Find Common Ground with Employees, 2011 Cisco Annual Security Report, December 2011, p. 10: http://www.cisco.com/en/US/prod/collateral/vpndevc/ security_annual_report_2011.pdf. Cisco Global Cloud Index: Forecast and Methodology, 20112016: http://www.cisco.com/en/US/solutions/ collateral/ns341/ns525/ns537/ns705/ns1175/Cloud_Index_White_Paper.html.
Arbor Networks ATLAS data is derived from honey pots deployed within service provider networks around the world; ASERT malware research; and, an hourly feed of anonymized data based on NetFlow, BGP, and SNMP correlation. The anonymized data provided by Arbor Peakflow SP customers is collated and trended within ATLAS to provide a detailed view of the threats and traffic patterns on the Internet. IPS Testing, Cisco.com: http://www.cisco.com/web/about/security/intelligence/cwilliams-ips.html. Bank of America and New York Stock Exchange under attack unt [sic], Pastebin.com, September 18, 2012: http://pastebin.com/mCHia4W5. Phase 2 Operation Ababil, Pastebin.com, September 18, 2012: http://pastebin.com/E4f7fmB5.
10
28
29
11
Ibid A Deep Dive Into Hyperjacking, by Dimitri McKay, SecurityWeek, February 3, 2011: http://www.securityweek. com/deep-dive-hyperjacking. India Asks Pakistan to Investigate Root of Panic, by Jim Yardley, The New York Times, August 19, 2012: http://www.nytimes.com/2012/08/20/world/asia/india-asks-pakistan-to-help-investigate-root-of-panic. html?_r=1&.
12
30 31
13
Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions: http://www.cisco.com/ web/about/security/intelligence/ERP-financial-DDoS.html. I dentifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions Applied Mitigation Bulletin: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27115. Security Intelligence Operations Tactical Resources, Cisco.com: http://tools.cisco.com/security/center/ intelliPapers.x?i=55.
32
14
Twitter Rumor Sparked Oil-Price Spike, by Nicole Friedman, WSJ.com, August 6, 2012: http://online.wsj. com/article/SB10000872396390444246904577573661207457898.html. T his originally appeared on the Cisco Security blog: http://blogs.cisco.com/security/sniffing-out-socialmedia-disinformation/ J ava.com: http://www.java.com/en/about/.
33
15
34
16 17
Service Provider Security Best Practices, Cisco.com: http://tools.cisco.com/security/center/ serviceProviders.x?i=76. Anagram courtesy of anagramgenius.com.
35 36 37
V ishwath Mohan and Kevin W. Hamlen. Frankenstein: Stitching Malware from Benign Binaries. In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT), pp. 77-84, August 2012. M ohammad M. Masud, Tahseen M. Al-Khateeb, Kevin W. Hamlen, Jing Gao, Latifur Khan, Jiawei Han, and Bhavani Thuraisingham. Cloud-based Malware Detection for Evolving Data Streams. ACM Transactions on Management Information Systems (TMIS), 2(3), October 2011.
18
Cisco Applied Mitigation Bulletins, Cisco.com: http://tools.cisco.com/security/center/searchAIR.x. Cisco Intellishield Alert Manager Service: http://www.cisco.com/web/services/portfolio/product-technicalsupport/intellishield/index.html.
38
19
DDoS Attacks: 2013 Forecast, Experts Say Recent Hits Only the Beginning, by Tracy Kitten, BankInfoSecurity.com, December 30, 2012: http://ffiec.bankinfosecurity.com/ddos-attacks-2013forecast-a-5396.
39 40
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. All contents are Copyright 20112013 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Ciscos trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (020813 v2)